
Correlation of Alerts Using Prerequisites and Consequences for Intrusion Detection

  • Conference paper
Computational Intelligence and Information Technology (CIIT 2011)

Abstract

Alert correlation is a process that analyses the alerts produced by one or more intrusion detection sensors and provides a clear picture of occurring or attempted intrusions. Even though the correlation process is often presented as a single step, the analysis is actually carried out by a number of components, each of which has a specific goal. The approach builds on the idea of the prerequisites of an intrusion, that is, the necessary conditions for the intrusion to succeed, and its consequences, that is, the possible outcomes of the intrusion. This lets us correlate two alerts if the consequence of the earlier alert prepares for the prerequisite of the later one. In this system, before alert classification, we perform normalization, pre-processing, and alert correlation. The correlation phase has two types of correlation: duplicate removal (alert fusion) and consequence correlation. The resulting alert set is then clustered. Based on this analysis of the alert set, the prioritization component assigns an appropriate priority to every alert. This priority information is important for quickly discarding information that is irrelevant or of lesser importance. A second way of prioritizing is based on the number of alerts coming from the networked systems.
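The pipeline sketched in the abstract, as an added illustration that is not code from the paper: a constructed prerequisite/consequence knowledge base, alert fusion of duplicates, consequence correlation that links an earlier alert to a later one when an instantiated consequence matches a prerequisite, and a chain-length priority. The alert types, predicates, hosts and timestamps are all constructed sample values.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Constructed knowledge base (assumption, not from the paper): for each alert
# type, the predicates it requires (prerequisites) and the predicates it
# establishes (consequences). "{dst}" is instantiated with the alert's target.
KB: Dict[str, Tuple[Set[str], Set[str]]] = {
    "port_scan":       (set(),                   {"host_known:{dst}"}),
    "ftp_overflow":    ({"host_known:{dst}"},    {"shell_access:{dst}"}),
    "rootkit_install": ({"shell_access:{dst}"},  {"rootkit:{dst}"}),
}

@dataclass
class Alert:
    aid: int
    kind: str
    src: str
    dst: str
    ts: float  # seconds since start of the sensor log

def fuse(alerts: List[Alert], window: float = 2.0) -> List[Alert]:
    """Duplicate removal: drop a repeat of an earlier (kind, src, dst) within window."""
    kept: List[Alert] = []
    for a in sorted(alerts, key=lambda x: x.ts):
        dup = any(k.kind == a.kind and k.src == a.src and k.dst == a.dst
                  and a.ts - k.ts <= window for k in kept)
        if not dup:
            kept.append(a)
    return kept

def instantiate(preds: Set[str], a: Alert) -> Set[str]:
    return {p.format(dst=a.dst) for p in preds}

def correlate(alerts: List[Alert]) -> List[Tuple[int, int]]:
    """Consequence correlation: edge (a, b) when a consequence of the earlier
    alert a equals a prerequisite of the later alert b on the same host."""
    ordered = sorted(alerts, key=lambda x: x.ts)
    edges: List[Tuple[int, int]] = []
    for i, b in enumerate(ordered):
        pre_b = instantiate(KB[b.kind][0], b)
        for a in ordered[:i]:
            if instantiate(KB[a.kind][1], a) & pre_b:
                edges.append((a.aid, b.aid))
    return edges

def prioritize(alerts: List[Alert], edges: List[Tuple[int, int]]) -> Dict[int, int]:
    """Priority = longest correlated chain ending at the alert; edges arrive in
    time order of the later alert, so each predecessor's score is already final."""
    score = {a.aid: 1 for a in alerts}
    for a, b in edges:
        score[b] = max(score[b], score[a] + 1)
    return score

# Constructed sample: a scan seen twice (fused), an overflow on the scanned host,
# a rootkit alert on that host, and a rootkit alert on a host with no prior steps.
SAMPLE = [Alert(1, "port_scan", "10.0.0.5", "10.0.0.9", 0.0),
          Alert(2, "port_scan", "10.0.0.5", "10.0.0.9", 0.5),
          Alert(3, "ftp_overflow", "10.0.0.5", "10.0.0.9", 30.0),
          Alert(4, "rootkit_install", "10.0.0.5", "10.0.0.9", 60.0),
          Alert(5, "rootkit_install", "10.0.0.7", "10.0.0.12", 61.0)]
```

Alert 5 has no established prerequisite and stays at the lowest priority, which is the "discard what is irrelevant" effect the abstract describes.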



Copyright information

© 2011 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Mallissery, S., Praveen, K., Sathar, S. (2011). Correlation of Alerts Using Prerequisites and Consequences for Intrusion Detection. In: Das, V.V., Thankachan, N. (eds) Computational Intelligence and Information Technology. CIIT 2011. Communications in Computer and Information Science, vol 250. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-25734-6_114


  • DOI: https://doi.org/10.1007/978-3-642-25734-6_114

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-25733-9

  • Online ISBN: 978-3-642-25734-6

  • eBook Packages: Computer Science, Computer Science (R0)
